How to Extract Group Members from Active Directory and Export Them to a CSV File

In this article we'll take a look at a few examples of using PowerShell to extract the members of different Active Directory groups. It should teach you how to build a list of the accounts in a specific Active Directory group and export it to a CSV file, which is convenient to process in MS Excel and other Office programs.

Previously, to build a list of the users in an Active Directory group, you had to use VBS scripts or the DSQuery or CSVDE command-line utilities, which were neither flexible nor convenient enough.

To interact with Active Directory from PowerShell, Microsoft developed a special module: the Active Directory Module for Windows PowerShell. This module first appeared in Windows Server 2008 R2. To use it, you must first load it into your PowerShell session:

Import-Module ActiveDirectory

In Windows Server 2012/R2 and Windows Server 2016 this module is automatically installed and loaded when the ADDS (Active Directory Domain Services) role is installed and the server is promoted to a domain controller. In desktop operating systems (Windows 10/Windows 7), the Active Directory Module for Windows PowerShell is included in the Remote Server Administration Tools, which you need to download, install and enable separately.

Please note that you don't need to be a member of the Domain Admins group to use the ActiveDirectory module: any authenticated domain user can obtain information about Active Directory users and groups with the AD PowerShell module.

To get the information about the user accounts that are included in the Active Directory security group, use the Get-ADGroupMember cmdlet.

For example, to display the list of members of the Domain Admins group, run the following command:

Get-ADGroupMember 'Domain Admins'

If you do not know the exact name of the group, you can display the full list of groups in Active Directory using the command:

Get-ADGroup -Filter * | sort name | select Name

You can display only usernames:

Get-ADGroupMember -Identity 'Domain Admins' | ft name

If the specified group contains other Active Directory groups, you must use the -Recursive parameter to also list the accounts that are members through nested groups.

Get-ADGroupMember -Identity 'Domain Admins' -Recursive | ft name

The -recursive switch instructs the Get-ADGroupMember command to parse each nested group and display only objects that are not containers (user or computer). This command will display even those users who do not directly belong to the specified group.

You can display more detailed information about the accounts in this group in this way:

You can use a more complex PowerShell command, which lists all members of a certain domain security group with information about the company, department and job title, followed by sorting and grouping depending on a specific attribute (company):

Here is another useful example. Let's try to find all AD groups containing the *Admin* keyword in the name, and display the users that are members of these groups. To display only unique objects, use the -uniq argument:
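The two reports described above (members with company, department and job title, and the unique users of every group matching *Admin*), combined into one script and exported to CSV as an added example; it is not the article's original code. It assumes a single domain, and the output path and column names are chosen for illustration.

```powershell
# Added example, not the article's own code. Assumptions: single domain,
# RSAT ActiveDirectory module available, output path chosen for illustration.
Import-Module ActiveDirectory

$csvPath = Join-Path $env:TEMP 'admin-group-members.csv'   # hypothetical output file

# Every group whose name contains "Admin"
$groups = Get-ADGroup -Filter 'Name -like "*Admin*"' | Sort-Object Name

$rows = foreach ($group in $groups) {
    try {
        # -Recursive expands nested groups and returns only leaf objects
        $members = Get-ADGroupMember -Identity $group.DistinguishedName -Recursive -ErrorAction Stop
    }
    catch {
        # Very large groups or unresolvable members make the cmdlet fail;
        # report the group instead of silently dropping it from the audit.
        Write-Warning "Could not enumerate '$($group.Name)': $($_.Exception.Message)"
        continue
    }

    # Keep user accounts only (recursive output can also contain computers)
    foreach ($member in $members | Where-Object { $_.objectClass -eq 'user' }) {
        $user = Get-ADUser -Identity $member.DistinguishedName -Properties Company, Department, Title
        [pscustomobject]@{
            Group          = $group.Name
            SamAccountName = $user.SamAccountName
            Name           = $user.Name
            Enabled        = $user.Enabled
            Company        = $user.Company
            Department     = $user.Department
            Title          = $user.Title
        }
    }
}

# One row per group/user pair, sorted by company, written for Excel
$rows | Sort-Object Company, Group, Name |
    Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

# Each account once, however many matching groups it belongs to
$unique = $rows | Sort-Object SamAccountName -Unique
$unique | Format-Table SamAccountName, Name, Company, Department, Title -AutoSize

# Number of distinct privileged accounts per company
$unique | Group-Object Company | Sort-Object Count -Descending | Select-Object Count, Name
```

Rerunning the script on a schedule and comparing the resulting CSV files is a simple way to spot accounts that gained membership in an administrative group through nesting.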